If you think audits are tough now, just wait. Section 404 of the Sarbanes-Oxley Act of 2002 requires auditors to certify not just financial results but also the processes by which they are determined. The law mandates a formal audit — including documentation, testing, and certification — of a company's internal controls. The new requirement will give auditors a real say in how CFOs run their operations.
Just how much of a say wasn't totally clear until March, when the Public Company Accounting Oversight Board (PCAOB) issued its final standards, which stipulate that auditors give either a thumbs-up or thumbs-down to a company's internal controls, starting with "accelerated filers" (market caps over $75 million) whose fiscal years end on or after November 15. (The standard was awaiting approval from the Securities and Exchange Commission as CFO went to press.)
Before this ruling, if the auditors identified any material weakness in internal controls, they would merely send a letter to the audit committee detailing the problem. Now, weaknesses such as neglecting to get a second signature on certain checks or failing to properly document legacy software systems could mean a failing grade on internal controls. True, the auditor may still approve a company's financial statements. But failing the controls testing in a formal audit will undoubtedly lead investors to question the validity of financial results. And given the pressures auditors face, rumors are rampant that audit firms will fail a significant portion — some observers say 10 percent — of the companies they audit.
The prospect of failing the controls audit puts finance executives, who must issue their own assessment of internal controls (which also is subject to an audit), in a precarious position. They will have to find and publicly disclose any inadequate controls lest the auditors reveal them instead and report the company to the PCAOB. Then they can just hope that any resulting damage to their stock price and reputation from the disclosure is mitigated by admiration for their candor.
On the other hand, finance executives who are up to this challenge may gain a lot more internal clout as a result. "I have a big interest in well-controlled financial reports anyway," notes Gary Perlin, CFO of Capital One Financial Corp. So if any employee objects to the process, says Perlin, "all I have to do is say, 'Excuse me, it's the law.'" In other words, he adds, "404 is a benefit, because it lets me get people's attention." Perlin isn't the only finance executive who sees the rule in these terms. "I think I'm better for it," insists Keith Sherin, CFO and senior vice president of General Electric Co. "It helps increase my confidence in our financial integrity."
GE has already seen its payments to its auditor KPMG LLP increase 40 percent in 2003 (from $38.7 million to $55.3 million), in large part because of work related to Sarbox and Section 404. And 404 alone is expected to cost the average large company $4.6 million this year (including both internal and external expenses), according to a recent Financial Executives International (FEI) study. But that survey was conducted before the audit firms learned the full extent of their responsibilities. Given the provisions of the final standards, in particular the extensive testing requirements, the bills could be much higher than previously thought (see "Paying the Piper," at the end of this article). The question is, will companies besides GE and Capital One find the money well spent?
Requirements for adequate internal controls are not new. For the past 27 years, the SEC has demanded that public companies meet certain standards of control. As long ago as 1992, the Committee of Sponsoring Organizations of the Treadway Commission created a framework for evaluating them
Just maintaining internal controls, however, is no longer good enough. Sarbox requires companies to analyze and document their internal-control processes, which means they must in effect create elaborate procedural manuals and update them whenever a process changes. And before controls can be certified, both the company and its auditors must test them for their "design and operating effectiveness," says Stephen Poss, senior partner and chair of the securities litigation and SEC enforcement practice area at law firm Goodwin Procter LLP.
To do that, the final PCAOB standard — known as "Auditing Standard No. 2: An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements" — requires auditors to examine the controls themselves and even conduct "walk-throughs" of important stages. There are limits on how much an auditor can rely on the work of others, even though internal finance staffs may have already tested the same processes. And because the audit covers the entire year, there are also extensive interim testing requirements.
Moreover, because the auditors are required to test anything materially significant to a company's financial statements, they must look for weaknesses in everything from how entries are consolidated and adjusted to what security controls are in place for accessing corporate technology.
What's still uncertain is just how far auditors will go in applying the new PCAOB standards. Their tests will vary "company to company and auditor to CFO," notes George P. Herrmann, vice president and CFO of Jefferson Wells International, a Brookfield, Wisconsin-based consultancy that specializes in internal controls. But factors such as the nature of the control, its complexity, and its frequency of use will all determine the extent of the testing, says Steve Wagner, a partner with Deloitte & Touche LLP and co-chair of its Sarbanes-Oxley steering committee.
Whatever is tested, the process promises to be extensive. According to the FEI survey, in fact, plan to document processes at 80 percent of their locations, and expect their auditors to test approximately 57 percent of those documented controls.
One thing is certain: the standards have greatly strengthened "the position and power of accounting firms," says Harold B. Finn III, founding partner of law firm Finn Dixon & Herling LLP. Because controls audits are uncharted territory, he explains, the auditors can extend the scope of their work as they go along. And because the work will be subject to review by the PCAOB, auditors have an interest in being as thorough as possible.
Public disclosure only heightens that interest. Previously, "material weaknesses received attention only at the board level and were not disclosed publicly," says Herrmann. But now, says Poss, "we live in a kind of binary world, where internal controls are either effective or not." Consequently, if an auditor does uncover a material weakness that isn't fixed, it must issue an unclean opinion.
What's more, companies may also no longer rely on their external auditor to help correct an internal-control problem during the audit. Instead, they must correct any material weakness they identify before the audit, and test the fix beforehand. As a result, the "timing of the fixes is very dicey," says Poss. Finance executives who fail to correct weaknesses in time will have no choice but to declare their controls ineffective.
That prospect should not be taken lightly, says Finn, given the close scrutiny that a failed controls audit would receive from the media, regulators, and plaintiffs' attorneys. Still, he predicts, "we will inevitably see a number of adverse opinions," and, possibly, attendant stock-price meltdowns, shareholder lawsuits, and SEC investigations.
Consequently, it behooves CFOs to understand not only their requirements, but also those of their auditors. In addition, they should be prepared to "move up more internal-control activities earlier in the year," says Poss. Most important, says Wayne Avellanet, who recently authored a compliance manual for Section 404 (Warren, Gorham & Lamont, 2004), finance executives must come to grips with their own control systems. "If you are paying attention to your own organization," says Avellanet, a divisional manager of internal control for SST Truck Co., "you will know where the problems are." And, he adds, "if you can't fix them, be honest about them."
Lori Calabro is a deputy editor of CFO.
Paying the Piper
In announcing the new section 404 standards, Public Company Accounting Oversight Board (PCAOB) member Kayla Gillan warned auditors that the standards weren't an excuse to "price gouge" clients. Yet audit fees are expected to climb 38 percent this year at Fortune 500 companies because of 404, according to Public Accounting Report newsletter. That's on top of the increases that firms have already seen from overall Sarbanes-Oxley Act compliance.
In fact, the cost of Sarbox is just starting to be disclosed. In 2003, for example First Charter Corp., of Charlotte, North Carolina, saw its audit fees rise 37.5 percent. And General Electric Co. saw a similar increase — 40 percent — in large part because of work related to Sarbox and 404. CFO Keith Sherin expects to spend about the same amount this year to test all SEC registrants against the PCAOB standards. But unlike many other companies, GE was able to get an estimate on 404 costs up front from KPMG LLP.
Other companies haven't been so fortunate. At Capital One Financial Corp., for example, CFO Gary Perlin says the firm has "not come to terms with what the fees are" in its arrangement with Ernst & Young. "We left that line blank," he says, explaining that the final tab will depend on the "amount of individual testing" the auditor has to perform.
In hopes of limiting internal expenses, Capital One is educating and encouraging its business units to plan for their Section 404 testing requirements. Ultimately, says Perlin, "we will not pay centrally for any remediation. We will not subsidize poor management." Yet he acknowledges that this won't affect the overall tab much. In the end, he says, "there is no way to avoid paying the piper."